the leading bug bounty and vulnerability disclosure platform, today
announced findings from the 2018
Hacker-Powered Security Report, based on over 72,000 resolved
security vulnerabilities, 1,000 customer programs and more than $31
million in bounties awarded to hackers from over 100 countries. The
annual report is a benchmark study of the bug bounty and vulnerability
disclosure ecosystem based on the largest data set of reported

Hackers are finding more severe vulnerabilities than ever before. The
total number of high or critical severity vulnerabilities increased by
22 percent in 2017. Furthermore, 24 percent of resolved vulnerabilities
were classified as high to critical severity across industries. As a
result, bounties for high impact findings are rising. The top bounty
awarded for a single report reached $75,000 in 2017. The most
competitive programs like Google, Microsoft and Intel are offering
$250,000 bounty awards for critical issues. Meanwhile, false positives
are becoming a relic of the past, with 80 percent Signal
platform-wide, meaning 80 percent of submitted and qualified reports are

“Crowdsourced security testing is rapidly approaching critical mass, and
ongoing adoption and uptake by buyers is expected to be rapid,” Gartner
reported. Governments are leading the way with adoption globally. In the
government sector there was a 125 percent increase year over year with
new program launches including the European Commission and the Ministry
of Defense Singapore, joining the U.S. Department of Defense on
HackerOne. Proposed legislation like the Hack the Department of Homeland
Security Act, Hack Your State Department Act, Prevent Election Voting
Act, and the Department of Justice Vulnerability Disclosure Framework
further demonstrates public sector support for hacker-powered security.

Industries beyond technology continued to increase their share of the
overall hacker-powered security markets. Consumer Goods, Financial Services &
Insurance, Government, and Telecommunications account for 43 percent of
today’s bug bounty programs. Automotive programs increased 50 percent in the
past year and Telecommunications programs increased 71 percent.
Enterprises across industries saw a 54 percent increase in year over
year VDP adoption. Still, leading organizations remain vastly
underprepared for effective discovery, communication, remediation, and
disclosure of vulnerabilities, as 93 percent of the 2017 Forbes Global 2000 list
do not have a policy to receive, respond to, and resolve critical bug
reports submitted by third parties.

“The world is embracing the highly skilled and creative hacker community
to help reduce cyber risk,” said Marten Mickos, CEO of HackerOne. “A
model once reserved for the largest, tech-advanced companies in the
world, is now being implemented by organizations of any size, industry
and connected corner of the globe. Hacker-powered security is reaching
critical mass, and everyone is benefitting from a more secure internet.”

The most authoritative report on the hacker-powered security ecosystem.
The 2018 Hacker-Powered Security Report examines data collected from
over 1,000 bug bounty and vulnerability disclosure programs around the
world. The report includes analysis of nearly 72,000 resolved
vulnerabilities, plus insight from HackerOne’s community of over 200,000
registered hackers. HackerOne also analyzed VDP data from the Forbes
Global 2000 to better understand hacker-powered security adoption.
The full report is available at https://www.hackerone.com/resources/hacker-powered-security-report.

HackerOne is the #1 hacker-powered security platform, helping
organizations receive and resolve critical vulnerabilities before they
can be exploited. More Fortune 500 and Forbes Global 1000 companies
trust HackerOne than any other hacker-powered security partner.
Organizations, including the U.S.
Department of Defense, U.S. General Services Administration, General
Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic
Avionics, Qualcomm, Starbucks, Dropbox, Intel, and the CERT Coordination
Center trust HackerOne to find critical software vulnerabilities.
HackerOne customers have resolved over 72,000 vulnerabilities and
awarded over $31M in bug bounties. HackerOne is headquartered in San
Francisco with offices in London, New York, and the Netherlands.

View source version on businesswire.com: https://www.businesswire.com/news/home/20180711005224/en/